PaymentPulse

Security Policy

Last updated: February 9, 2026

1. Reporting a Vulnerability

If you discover a security vulnerability in PaymentPulse, we appreciate your help in disclosing it to us responsibly. Please email us at security@paymentpulse.io with the following information:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code
  • Your name and contact information (optional, for attribution)

2. What to Expect

We take all security reports seriously. Here is what you can expect from us:

  • Acknowledgement: We will acknowledge receipt of your report within 48 hours.
  • Assessment: We will investigate and validate the vulnerability within 5 business days.
  • Resolution: Critical vulnerabilities will be patched within 7 days. Non-critical issues will be addressed in a reasonable timeframe.
  • Notification: We will notify you when the issue has been resolved.

3. Scope

The following are in scope for security reports:

  • The PaymentPulse web application (paymentpulse.io)
  • The PaymentPulse API (api.paymentpulse.io)
  • The PaymentPulse client portal
  • Authentication and authorization mechanisms
  • Data handling and storage

The following are out of scope:

  • Social engineering attacks (e.g., phishing)
  • Denial of service (DoS/DDoS) attacks
  • Physical security of our infrastructure
  • Third-party services (Stripe, Resend, Plaid, etc.)
  • Issues already known or previously reported

4. Safe Harbor

We will not take legal action against researchers who discover and report security vulnerabilities in good faith, provided they:

  • Do not access, modify, or delete data belonging to other users
  • Do not disrupt the availability of our services
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
  • Make a good-faith effort to avoid privacy violations

5. Security Practices

PaymentPulse employs the following security practices to protect your data:

  • All data is encrypted in transit using TLS 1.2+
  • Sensitive data (tax IDs, bank tokens) is encrypted at rest using AES-256-GCM
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • API rate limiting to prevent abuse
  • Security headers (CSP, HSTS, X-Frame-Options) on all responses
  • Regular dependency updates and vulnerability scanning
  • GDPR-compliant data handling with right to deletion

6. Contact

For security concerns, email security@paymentpulse.io. For general inquiries, contact support@paymentpulse.io.

Blackbox Labs SRL
CUI: RO33784095
B-dul Unirii nr 59, bl 59, et 5, ap 50, Focsani, Vrancea, Romania